OBJECTIVE

The objective of this survey is to determine the extent of use and compliance with the SDLC at
the Commission. Fieldwork on this survey was initiated in September 2002.


BACKGROUND

The Commission’s Systems Development Lifecycle was developed as a cooperative effort
between representatives from the Office of Inspector General (OIG), Information Technology
Center (ITC), and Commission Bureaus and Offices. The development effort began in July 1998
and ended with the implementation of the SDLC during the last quarter of calendar year 2000.
The development team began researching numerous commercial off-the-shelf (COTS) SDLC
packages to determine whether one existed that could be tailored to meet FCC-specific standards.
Research included reviewing SDLCs within other government agencies. To accomplish this, the
team sent a development methodology-specific questionnaire to 50 agencies to determine many
factors, including what development approach was used, which COTS packages are used, and
the rate of successful development projects.

Numerous planning meetings were held in which a model was developed and the activities,
tasks, and roles were narrowed, modified, and tailored to meet the FCC’s specific developmental
requirements. After the basic framework of the SDLC was developed, the methodology was
"piloted" on a series of development efforts to evaluate its usefulness prior to implementation.
The FCC SDLC materials (i.e., SDLC phases, checklists, glossary, user guide and policy) can be
found at the Commission’s SDLC Intranet website.


SCOPE OF SURVEY WORK PERFORMED

This project was conducted as a survey. A survey is preliminary audit work done before an audit
and is not an audit conducted in accordance with Government Auditing Standards (i.e., GAO
“Yellow Book” standards).
The purpose of a survey is to gather general working information on
important aspects of an entity, activity, or program, such as the SDLC, and to determine the
nature and extent of any subsequent audit effort.

The purpose of this particular survey was to examine the use of the SDLC, report the results to
the Inspector General, and recommend the next course of action. To meet this goal, this survey
had a series of milestones. The first milestone was to document the SDLC coverage being
currently given in the OIG’s information system (IS) audits. Particular attention was given to
OIG audits that have already surveyed the use of SDLC in the Commission. If the SDLC
coverage in OIG audits was deemed adequate, then no further field work would be deemed
necessary.

If OIG coverage is not adequate, the next goal would be to analyze SDLC usage at the FCC. If
necessary, this will be done using a survey form. If the large majority of projects are using the
SDLC, or acceptable substitutes, then no further field work would be deemed necessary.

The final milestone was to determine if any aspects of the SDLC need further OIG involvement
and review. The survey report will recommend what, if any, additional action the OIG should
take on the SDLC and SDLC usage.

To accomplish the objectives of this survey, the OIG auditor used the following methodology.
An auditor reviewed SDLC information, including documentation policy, practices, roles and
responsibilities, templates, checklists, and the user guide. Also, an auditor interviewed
employees in other Bureaus and Offices, such as the Office of the Managing Director (OMD).
ITC documentation related to the SDLC was analyzed. Other Bureau and Office data, especially
copies of systems development checklists, were part of the review.
Federal government
documents, including Office of Management and Budget (OMB) circulars, were reviewed.
Finally, an OIG auditor interviewed contractors involved in reviewing the SDLC during OIG
audits.


SUMMARY OF OBSERVATIONS

As part of the survey process, we evaluated the Commission’s use of the SDLC to identify areas
where weaknesses or inefficiencies exist which may require more comprehensive audit coverage.

Review of the SDLC

The first step was to review the SDLC itself. The SDLC is a measurable improvement over the
prior practices that existed. Prior to the SDLC, some projects did not use rigorous
development criteria. This caused project delays and cost overruns.

The FCC’s SDLC is a comprehensive set of documents. It includes a user guide, policy and
practice manuals, a delineation of roles and responsibilities, a frequently asked questions (FAQs)
section, checklists, and templates. The two most important documents are the checklists and the
templates. The checklists describe the six phases comprising the SDLC and link to templates
for associated deliverables, such as the application’s configuration management plan. The
templates allow a project manager to keep a record of the SDLC tasks performed.

The SDLC, as promulgated, is sufficient for systems development at the Commission.

Past SDLC Audit Coverage

The next step was to review coverage of the SDLC in OIG audits. The SDLC audit coverage
was extensive. Both financial and information systems (IS) audits covered the SDLC. The
audit of the financial statements for Fiscal Year (FY) 2001 reviewed the use of the SDLC on the
Revenue Accounting and Management Information System (RAMIS). The financial audit team
wrote a finding requesting that the management adopt the FCC’s SDLC methodology for IT
systems in the RAMIS project.
The FY 2002 financial statement audit also reported an SDLC
non-compliance finding.

A number of OIG IS audits reviewed the use of the SDLC by a number of FCC applications.
The audit of the Automated Auctions System (AAS) reviewed how the SDLC was used by AAS.
The review of Web Accessibility had a recommendation that accessibility be included in the
SDLC. The follow-up review on Web Accessibility determined that accessibility was added to
the SDLC and closed that matter. It also reviewed remediation efforts on the International
Bureau Filing and Reporting System (IBFS) that were done using the SDLC format. Finally, the
FY 2002 Report on the Government Information Security Reform Act (GISRA) Evaluation,
issued January 6, 2003, audited all applicable FCC applications for compliance with GISRA. The
review found three applications were not following the SDLC. They were the Commission
Registration System (CORES), E/MTS, and the Cable Operation and Licensing System
(COALS).


Future SDLC Audit Coverage

The OIG plans to perform a number of IS audits that include SDLC reviews. In FY 2004, the
Integrated Spectrum Auctions System (IFAS) is planned to be reviewed. One of the objectives
of this review is to monitor and assess compliance of IFAS with the Commission’s systems
development life cycle (SDLC). Another audit budgeted for in FY 2004 is the COALS
application review. This is one of the three systems not using the SDLC.

In FY 2005 two application reviews are budgeted: Universal Licensing System (ULS) and
CORES. CORES is one of the three systems not using the SDLC. Both will include SDLC
reviews.


CONCLUSION

Based on the results of this survey, the Office of Inspector General should not perform any
additional audit work on the use of the SDLC in the Commission. Instead, the OIG should focus
on continuing to perform SDLC work as part of its future IS audits.
An audit of the use of the SDLC
would just reiterate the findings of a number of audits, only in more detail. Further audit work
by the OIG solely on SDLC usage would most likely duplicate the audit work currently being
done on IS and financial audits. For example, it would duplicate the work performed during the
FY 2002 GISRA review. Also, this duplicative review would be costly, if contracted.

Therefore, we conclude that audit coverage planned in future application reviews will provide
sufficient oversight of SDLC implementation.